<br><br><div class="gmail_quote">On Feb 6, 2008 8:46 AM, Mike Miller <<a href="mailto:mbmiller@taxa.epi.umn.edu">mbmiller@taxa.epi.umn.edu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On Wed, 6 Feb 2008, Andy Schmid wrote:<br><br>> On Feb 5, 2008 5:11 PM, Mike Miller <<a href="mailto:mbmiller@taxa.epi.umn.edu">mbmiller@taxa.epi.umn.edu</a>> wrote:<br>><br>>> Thanks, Dave. Very interesting. How about: A random string is the<br>
>> hardest password to guess.<br>><br>><br>> I disagree. There is the chance (albeit very slim to none) that a<br>> random string can produce a password such as '1234', which can be easily<br>> cracked.<br>
<br></div>I thought about that too, but the thing is, if the would-be cracker knows<br>that it is a random string (and he would know if that was the design of<br>the system), there will be no benefit to his guessing first things like<br>
"1234," but if he knows that you have disallowed things like "1234", then<br>you have helped him by cutting back on the number of things he must guess.<br><br>So when using random strings you would *not* want to have rules like "must<br>
include upper case and lower case letters, digits and non-alphanumeric<br>characters," because that rule would help a brute-force attacker.<br><font color="#888888"><br>Mike<br></font></blockquote></div><br>This is a good point. But most brute-force attacks are done using common passwords across many hosts (typically from worms). If you have constraints put in place that are wide enough, the number of password permutations is still astronomical, with the chance of weak passwords being produced eliminated. Though, it's a good idea all around to disable login access for the root account, as well as any other accounts you do not want logging in.<br>
<br>Andy<br>
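As an added illustration of the keyspace point Mike and Andy are arguing over (this is example code added here, not code from either of them or from the list; it assumes a 94-character printable-ASCII alphabet and the usual four character classes), the following Python counts how many random strings of a given length survive a "must contain every class" rule, reports how many bits of guessing work the rule hands to an attacker who knows it is enforced, and generates random passwords with rejection sampling so that the constrained set is still sampled uniformly:

```python
import math
import secrets
import string

# Printable-ASCII alphabet split into the four classes that composition
# rules usually reference (assumed alphabet, not from the thread).
LOWER = string.ascii_lowercase      # 26 characters
UPPER = string.ascii_uppercase      # 26 characters
DIGITS = string.digits              # 10 characters
SYMBOLS = string.punctuation        # 32 characters
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)         # 94 characters


def count_unconstrained(length):
    """Number of random strings of `length` over the full alphabet."""
    return len(ALPHABET) ** length


def count_with_all_classes(length, classes=CLASSES):
    """Number of strings of `length` that contain at least one character
    from every class in `classes`.

    Inclusion-exclusion over the set of classes that are *missing*: for
    every subset S of classes, add (-1)^|S| * (alphabet minus S)^length.
    """
    n = len(classes)
    alphabet_size = sum(len(c) for c in classes)
    total = 0
    for mask in range(1 << n):
        excluded = sum(len(classes[i]) for i in range(n) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (alphabet_size - excluded) ** length
    return total


def bits_lost(length):
    """How many bits of guessing work a composition rule gives away: the
    log2 ratio between the unconstrained and the constrained keyspace."""
    constrained = count_with_all_classes(length)
    if constrained == 0:
        raise ValueError("no string of that length satisfies the rule")
    return math.log2(count_unconstrained(length)) - math.log2(constrained)


def has_all_classes(password, classes=CLASSES):
    """True if `password` contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def random_password(length, require_all_classes=False):
    """Draw a password uniformly from ALPHABET^length using secrets.choice.

    With require_all_classes=True, rejection sampling keeps the draw
    uniform over the strings that satisfy the rule; patching a failing
    draw by substituting characters would bias the distribution.
    """
    if require_all_classes and length < len(CLASSES):
        raise ValueError("length too short to contain every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or has_all_classes(pw):
            return pw


if __name__ == "__main__":
    for length in (6, 8, 12, 16):
        print(f"length {length:2d}: "
              f"{math.log2(count_unconstrained(length)):6.2f} bits unconstrained, "
              f"rule costs {bits_lost(length):4.2f} bits")
    print("example:", random_password(12, require_all_classes=True))
```

For a 4-character string the rule forces exactly one character per class, so only 4! * 26 * 26 * 10 * 32 strings remain out of 94^4, a loss of nearly four bits; at 8 characters roughly half the keyspace survives (about one bit lost), and the cost keeps shrinking as the length grows. That is the sense in which both posters are right: the rule does help an attacker who knows it, but against a long enough random string the help is marginal.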